How to Lead During a Data Breach

In 2007, I wrote a case study for Harvard Business Review, “Boss, I Think Someone Stole our Customer Data.” Now six years later, an actual event has occurred that is eerily similar to that fictional scenario: a trusted retailer’s point-of-sale system security was breached and a large amount of customer data may be compromised.

In the current situation, the retailer is much larger as is the number of accounts affected. The New York Times reported that as many as 40 million customers may be affected by the data breach at Target. This makes it the third largest in history. The breach is reported to have started just before Thanksgiving and continued until December 15 – right in the heart of the most important selling season of the year. Full disclosure: Target executives have attended the executive education program where I am Director of Research. I worked with Visa on its Data Security Summit in 2007. I also hold a card that may have been compromised.

The investigation by law enforcement officials will determine who is to blame. Executives in any business, however, can learn valuable lessons in crisis leadership:

One critical concept that we share with the participants in the National Preparedness Leadership Initiative (NPLI) at Harvard is that every crisis includes many situations, each with different contingencies and considerations. In this case, they include security, legal, law enforcement, customer relations, media, shareholder, employee, the board, card issuers and providers, regulatory, and more. While there can be overlap, each of these situations has a distinct (and sometimes conflicting) set of stakeholders, power structures, priorities, perspectives, interests, requirements, and values. For example, Communications may want to be immediately open and transparent while Legal may want to wait to more fully assess the liability exposure that such a stance could create. They each have a legitimate case. Navigating this complex web of interdependent relationships is daunting in routine times. In a crisis of this magnitude, the added pressure and higher stakes can make it overwhelming. How can an executive successfully lead through such a complex morass?

The first step is to ensure certainty about the values that will drive decision making. In this case, trust should be the “true north” for Target in its dealings with its many stakeholders. The breach itself and the fact that the source of the disclosure was a blogger, not the company, were both hits to Target’s perceived trustworthiness. Company executives should recall the key lesson from the famous Johnson & Johnson response to the Tylenol scare in 1982: CEO James Burke saw that the most important objective was to restore the confidence of customers and other critical stakeholders, and moved aggressively to do that. If there is a short-term financial hit, take it and move forward. Clearly shared values among leaders in the business can help prevent or resolve conflicts as operational options and objectives are weighed.

The second step is to map the constellation of situations and their stakeholders. This can be done on a white board or sheet of paper. It doesn’t require a lot of detail; the purpose is to fix in your mind the awareness that you are dealing with a complex, dynamic problem. The angle you overlook in the crisis may be the one that causes the greatest damage in the end. Always remember that the original event – here, the data breach – is one crisis but the response may ignite a series of secondary crises if not handled well. (Remember Katrina.) This is particularly true in crises where the media takes an interest. Media stories will help shape the perceptions of many stakeholders and this, in turn, will set attitudes and interactions going forward. Many of these factors are beyond your control, but they are rarely outside of your sphere of influence.

With that situation map drawn, look for gaps in your crisis response: something not planned for or a need not met in the heat of action. After all, no action plan gets everything just right. It is critical to perceive the weak spots or holes in your efforts and take mitigating steps. Figure out who has something to give to close a gap – from tangible assets to moral and reputational support -and who needs to get something to do the same. Playing problem-solution matchmaker between “gives” and “gets” helps you to leverage and optimize resources in dealing with the many crisis situations.

The crisis will evolve over time and so must your perception of it. Target likely took action and had a disclosure plan prior to yesterday’s revelations in the media. However, an influential security blogger’s post followed by national and international media attention changed everything. The challenge for company leaders was then to re-orient the response to an increased pace with altered dynamics; control of messaging shifted from the company to news outlets. Embracing the patterns of this new reality, a leader must anticipate what is likely to happen next. Only then can he or she take the right steps. This is a continuous loop of adaptive thinking — perceiving, orienting, and predicting – and acting – deciding, operationalizing, and communicating.

The final lesson from this incident is “never say never.” Target is a company that takes security and customer trust seriously. The payment card industry has a rigorous set of standards, procedures, and protocols, and penalties for non-compliance, that are in use with virtually all major merchants in the United States. Yet breaches still occur. The United States is a particularly rich target because our credit and debit cards rely on magnetic strips rather than chips for validation; it is an old technology – though when paired with new fraud monitoring technologies it has kept actual fraud at bay. But these cards are easier for criminals to duplicate than chip cards, which makes them a more tempting target.

Your business or industry likely has corresponding vulnerabilities. In an increasingly complex and turbulent world, any day could be the one that your career or even your company depends upon your skill leading through a crisis. Are you ready?

Eric J. McNulty is the co-author of “Renegotiating Health Care: Resolving Conflict to Build Collaboration”. He is director of research and professional programs at the National Preparedness Leadership Initiative, a joint program of the Harvard School of Public Health and Harvard’s Kennedy School of Government.